Information Security and Cloud Computing

What is Return on Security Investment (ROSI) Anyway?


ROSI, or Return On Security Investment, is simply a way to calculate whether a security control is worth implementing or not. For a control to be financially viable, the reduction in risk it delivers has to be greater than the cost of implementing the control.

In a very simplistic way, to calculate ROSI you estimate the monetary risk of a specific incident, work out how much of that risk the control removes, and subtract the cost of implementing the control. A positive value is the ROSI and shows the value of the security control. A negative value indicates that the control is not worth implementing from a cost-benefit perspective.

ROSI = Reduction in Risk – Cost of Security Control
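As an added worked example (not part of the original post), the following script applies the formula above to two candidate controls for one incident scenario. The post does not say how the monetary risk is derived; the example assumes the common annualized loss expectancy model (ALE = single loss expectancy x annual rate of occurrence) and uses constructed figures, so the scenario, control names and amounts are illustrative only.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One incident scenario valued in money per year (constructed figures)."""

    single_loss_expectancy: float  # cost of a single occurrence, e.g. in USD
    annual_rate_of_occurrence: float  # expected number of occurrences per year

    def annualized_loss_expectancy(self) -> float:
        # ALE = SLE x ARO: expected monetary loss per year from this scenario
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


def apply_mitigation(before: Scenario, mitigation_ratio: float) -> Scenario:
    """Model a control that removes a fraction (0.0 to 1.0) of the expected loss.

    Assumed simplification: the ratio is applied to the occurrence rate, so a
    control that stops 75% of incidents leaves 25% of the original ARO.
    """
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    return Scenario(
        before.single_loss_expectancy,
        before.annual_rate_of_occurrence * (1.0 - mitigation_ratio),
    )


def reduction_in_risk(before: Scenario, after: Scenario) -> float:
    """Monetary risk removed by the control: ALE without it minus ALE with it."""
    return before.annualized_loss_expectancy() - after.annualized_loss_expectancy()


def rosi(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """ROSI = Reduction in Risk - Cost of Security Control (the post's formula)."""
    return reduction_in_risk(before, after) - annual_control_cost


def is_worth_implementing(before: Scenario, after: Scenario, annual_control_cost: float) -> bool:
    """A control is financially viable only when the risk reduction exceeds its cost."""
    return rosi(before, after, annual_control_cost) > 0


if __name__ == "__main__":
    # Constructed scenario: an incident costing 200,000 that is expected every two years.
    baseline = Scenario(single_loss_expectancy=200_000, annual_rate_of_occurrence=0.5)

    # Control A (hypothetical) keeps incidents as frequent but cuts the loss per incident.
    with_control_a = Scenario(single_loss_expectancy=40_000, annual_rate_of_occurrence=0.5)
    # Control B (hypothetical) stops three quarters of the incidents outright.
    with_control_b = apply_mitigation(baseline, mitigation_ratio=0.75)

    candidates = [
        ("Control A", with_control_a, 30_000),
        ("Control A at a higher price", with_control_a, 120_000),
        ("Control B", with_control_b, 30_000),
    ]
    print(f"Baseline ALE: {baseline.annualized_loss_expectancy():,.0f}")
    for name, after, cost in candidates:
        verdict = "implement" if is_worth_implementing(baseline, after, cost) else "do not implement"
        print(
            f"{name:28s} reduction={reduction_in_risk(baseline, after):>9,.0f} "
            f"cost={cost:>9,.0f} ROSI={rosi(baseline, after, cost):>9,.0f} -> {verdict}"
        )
```

The two entries for Control A show the point made in the post: the same control can have a positive ROSI at one price and a negative one at another, so the cost side of the formula deserves as much scrutiny as the risk estimate.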

ROSI Calculators – There are a number of online resources and calculators for measuring ROSI, and you can select one that you like. Searching for “ROSI Calculator” on the Internet will give you a number of links.

Simplicity – Find a calculator that is simple, as ROSI calculations can become very complicated depending upon how granular you want to go. I prefer simplicity, at least in the initial phases.

ISACA published ROSI calculation guidelines – These guidelines are available online and can be a good reference to start with. They are published under guideline number G41 on the ISACA website.

ROSI and Risk Calculations – ROSI is tied to quantitative risk assessment. If your organization is not mature enough to perform quantitative risk calculations, calculating ROSI may be tricky, but it is not impossible.

Measuring ROSI is a time-consuming task and should not be used all the time. Here are a few things to consider:

Selective Use – ROSI should be used only for major investments in information security. Avoid excessive use of ROSI calculators to save time.

Business Justification Tool – ROSI provides business justification for information security projects. Use it in project plans. It lends credibility to investments in information security.

Rationalize the calculations and share data with your executive team.

Your feedback is very important to me. Please share your thoughts on my Twitter handle at @rafeeq_rehman